MDL-21858 improved input validation

commit 031afaa59c115859958ed7032544301a31974faf 1 parent 9c170e2
@skodak skodak authored
Showing with 9 additions and 4 deletions.
  1. +9 −4 lib/datalib.php
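--- a/lib/datalib.php
+++ b/lib/datalib.php
@@ -1878,9 +1878,14 @@ function add_to_log($courseid, $module, $action, $url='', $info='', $cm=0, $user
 // so it has been optimised for speed.
 global $db, $CFG, $USER;
-if ($cm === '' || is_null($cm)) { // postgres won't translate empty string to its default
-$cm = 0;
-}
+// sanitize all incoming data
+$courseid = clean_param($courseid, PARAM_INT);
+$module = clean_param($module, PARAM_SAFEDIR);
+$action = addslashes($action);
+// url cleaned bellow
+// info cleaned bellow
+$cm = clean_param($cm, PARAM_INT);
+$user = clean_param($user, PARAM_INT);
 if ($user) {
 $userid = $user;
@@ -1897,7 +1902,6 @@ function add_to_log($courseid, $module, $action, $url='', $info='', $cm=0, $user
 }
 $timenow = time();
-$info = addslashes($info);
 if (!empty($url)) { // could break doing html_entity_decode on an empty var.
 $url = html_entity_decode($url); // for php < 4.3.0 this is defined in moodlelib.php
 }
@@ -1911,6 +1915,7 @@ function add_to_log($courseid, $module, $action, $url='', $info='', $cm=0, $user
 $info=$tl->substr($info,0,252).'...';
 debugging('Warning: logged very long info',DEBUG_DEVELOPER);
 }
+$info = addslashes($info);
 // Note: Unlike $info, URL appears to be already slashed before this function
 // is called. Since database limits are for the data before slashes, we need
 // to remove them...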
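Review bot: In the first hunk `$action` is the only incoming field that is escaped with `addslashes` rather than validated with `clean_param`, so its content stays free-form and only its quoting is handled, unlike `$courseid`, `$module`, `$cm` and `$user`; if log actions are a fixed vocabulary in the callers (the hunk does not show this), validating it with a `clean_param` type like the neighbouring fields would make the sanitisation uniform. The added comments `// url cleaned bellow` and `// info cleaned bellow` should read `below`, and the `$url` one is hard to reconcile with the later context comment that the URL arrives already slashed from the caller, so a one-line comment stating which side is responsible for escaping `$url` would avoid double or missing escaping. add_to_log starts before the first hunk and continues past the last, so the later handling of `$url` is not visible here.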